Automated testing for SQL injection vulnerabilities: An input mutation approach

Dennis Appelt; Cu Duy Nguyen; Lionel C. Briand; Nadia Alshahwan

doi:10.1145/2610384.2610403

Automated testing for SQL injection vulnerabilities: An input mutation approach

Dennis Appelt
, Cu Duy Nguyen
, Lionel C. Briand
, Nadia Alshahwan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Web services are increasingly adopted in various domains, from finance and e-government to social media. As they are built on top of the web technologies, they suffer also an unprecedented amount of attacks and exploitations like the Web. Among the attacks, those that target SQL injection vulnerabilities have consistently been top-ranked for the last years. Testing to detect such vulnerabilities before making web services public is crucial. We present in this paper an automated testing approach, namely μ4SQLi, and its underpinning set of mutation operators. μ4SQLi can produce effective inputs that lead to executable and harmful SQL statements. Executability is key as otherwise no injection vulnerability can be exploited. Our evaluation demonstrated that the approach is effective to detect SQL injection vulnerabilities and to produce inputs that bypass application firewalls, which is a common configuration in real world.

Original language	English
Title of host publication	2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings
Publisher	Association for Computing Machinery, Inc
Pages	259-269
Number of pages	11
ISBN (Electronic)	9781450326452
DOIs	https://doi.org/10.1145/2610384.2610403
Publication status	Published - 21 Jul 2014
Externally published	Yes
Event	23rd International Symposium on Software Testing and Analysis, ISSTA 2014 - San Jose, United States Duration: 21 Jul 2014 → 25 Jul 2014

Publication series

Name	2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings

Conference

Conference	23rd International Symposium on Software Testing and Analysis, ISSTA 2014
Country/Territory	United States
City	San Jose
Period	21/07/14 → 25/07/14

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 16 Peace, Justice and Strong Institutions

Keywords

Mutation testing
SQL injection
Test generation

Access to Document

10.1145/2610384.2610403

Cite this

Appelt, D., Nguyen, C. D., Briand, L. C., & Alshahwan, N. (2014). Automated testing for SQL injection vulnerabilities: An input mutation approach. In 2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings (pp. 259-269). (2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings). Association for Computing Machinery, Inc. https://doi.org/10.1145/2610384.2610403

Appelt, Dennis ; Nguyen, Cu Duy ; Briand, Lionel C. et al. / Automated testing for SQL injection vulnerabilities : An input mutation approach. 2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings. Association for Computing Machinery, Inc, 2014. pp. 259-269 (2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings).

@inproceedings{4151da900b1e479d88d062326cc8e788,

title = "Automated testing for SQL injection vulnerabilities: An input mutation approach",

abstract = "Web services are increasingly adopted in various domains, from finance and e-government to social media. As they are built on top of the web technologies, they suffer also an unprecedented amount of attacks and exploitations like the Web. Among the attacks, those that target SQL injection vulnerabilities have consistently been top-ranked for the last years. Testing to detect such vulnerabilities before making web services public is crucial. We present in this paper an automated testing approach, namely μ4SQLi, and its underpinning set of mutation operators. μ4SQLi can produce effective inputs that lead to executable and harmful SQL statements. Executability is key as otherwise no injection vulnerability can be exploited. Our evaluation demonstrated that the approach is effective to detect SQL injection vulnerabilities and to produce inputs that bypass application firewalls, which is a common configuration in real world.",

keywords = "Mutation testing, SQL injection, Test generation",

author = "Dennis Appelt and Nguyen, \{Cu Duy\} and Briand, \{Lionel C.\} and Nadia Alshahwan",

year = "2014",

month = jul,

day = "21",

doi = "10.1145/2610384.2610403",

language = "English",

series = "2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings",

publisher = "Association for Computing Machinery, Inc",

pages = "259--269",

booktitle = "2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings",

}

Appelt, D, Nguyen, CD, Briand, LC & Alshahwan, N 2014, Automated testing for SQL injection vulnerabilities: An input mutation approach. in 2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings. 2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings, Association for Computing Machinery, Inc, pp. 259-269, 23rd International Symposium on Software Testing and Analysis, ISSTA 2014, San Jose, United States, 21/07/14. https://doi.org/10.1145/2610384.2610403

Automated testing for SQL injection vulnerabilities: An input mutation approach. / Appelt, Dennis; Nguyen, Cu Duy; Briand, Lionel C. et al.
2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings. Association for Computing Machinery, Inc, 2014. p. 259-269 (2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Automated testing for SQL injection vulnerabilities

T2 - 23rd International Symposium on Software Testing and Analysis, ISSTA 2014

AU - Appelt, Dennis

AU - Nguyen, Cu Duy

AU - Briand, Lionel C.

AU - Alshahwan, Nadia

PY - 2014/7/21

Y1 - 2014/7/21

N2 - Web services are increasingly adopted in various domains, from finance and e-government to social media. As they are built on top of the web technologies, they suffer also an unprecedented amount of attacks and exploitations like the Web. Among the attacks, those that target SQL injection vulnerabilities have consistently been top-ranked for the last years. Testing to detect such vulnerabilities before making web services public is crucial. We present in this paper an automated testing approach, namely μ4SQLi, and its underpinning set of mutation operators. μ4SQLi can produce effective inputs that lead to executable and harmful SQL statements. Executability is key as otherwise no injection vulnerability can be exploited. Our evaluation demonstrated that the approach is effective to detect SQL injection vulnerabilities and to produce inputs that bypass application firewalls, which is a common configuration in real world.

AB - Web services are increasingly adopted in various domains, from finance and e-government to social media. As they are built on top of the web technologies, they suffer also an unprecedented amount of attacks and exploitations like the Web. Among the attacks, those that target SQL injection vulnerabilities have consistently been top-ranked for the last years. Testing to detect such vulnerabilities before making web services public is crucial. We present in this paper an automated testing approach, namely μ4SQLi, and its underpinning set of mutation operators. μ4SQLi can produce effective inputs that lead to executable and harmful SQL statements. Executability is key as otherwise no injection vulnerability can be exploited. Our evaluation demonstrated that the approach is effective to detect SQL injection vulnerabilities and to produce inputs that bypass application firewalls, which is a common configuration in real world.

KW - Mutation testing

KW - SQL injection

KW - Test generation

UR - https://www.scopus.com/pages/publications/84929709792

U2 - 10.1145/2610384.2610403

DO - 10.1145/2610384.2610403

M3 - Conference contribution

AN - SCOPUS:84929709792

T3 - 2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings

SP - 259

EP - 269

BT - 2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings

PB - Association for Computing Machinery, Inc

Y2 - 21 July 2014 through 25 July 2014

ER -

Appelt D, Nguyen CD, Briand LC, Alshahwan N. Automated testing for SQL injection vulnerabilities: An input mutation approach. In 2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings. Association for Computing Machinery, Inc. 2014. p. 259-269. (2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings). doi: 10.1145/2610384.2610403

Automated testing for SQL injection vulnerabilities: An input mutation approach

Abstract

Publication series

Conference

UN SDGs

Keywords

Access to Document

Other files and links

Fingerprint

Cite this